
nginx redirect to docker container


As I understand it, your nginx reverse proxy is on the same network as the containers, so there is not much need to secure the connection between them with TLS (as this is a private network, and if an attacker has access to that network he would have access to the server, too, and all the unencrypted data).

If you absolutely want valid certificates to secure the connections on your local network you could create additional sub-domains that resolve to the local IPs. Then you will need to use the manual DNS option to get your certificate (this is a certbot option where you need to manually enter a key as a TXT entry for your domain).

Example Nginx configuration to redirect http to https

    server {
        listen 80;
        server_name example.com;
        # Keep the requested path and query string in the redirect
        return 301 https://example.com$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name  example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

        location / {
            # TLS ends at the proxy; the container is reached over plain HTTP
            proxy_pass http://container:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        include tls.conf;
    }


I would go with the out of the box solution:

JWilder Nginx + Lets Encrypt.

First we start NGINX Container as Reverse Proxy:

    docker run -d -p 80:80 -p 443:443 \
        --name nginx-proxy \
        -v /path/to/certs:/etc/nginx/certs:ro \
        -v /etc/nginx/vhost.d \
        -v /usr/share/nginx/html \
        -v /var/run/docker.sock:/tmp/docker.sock:ro \
        jwilder/nginx-proxy

Next we start the Let's Encrypt Container:

    docker run -d \
        -v /path/to/certs:/etc/nginx/certs:rw \
        --volumes-from nginx-proxy \
        -v /var/run/docker.sock:/var/run/docker.sock:ro \
        jrcs/letsencrypt-nginx-proxy-companion

For your Websites you need some Environment variables to be set:

    docker run -d \
        --name website1 \
        -e "VIRTUAL_HOST=website1.com" \
        -e "LETSENCRYPT_HOST=website1.com" \
        -e "LETSENCRYPT_EMAIL=webmaster@website1" \
        tutum/apache-php

The Nginx container will create a new entry in its config, and the Let's Encrypt container will request a certificate (and do the renewal stuff).

More: Nginx+LetsEncrypt


Here is my way to do that:

NGINX Config file (default.conf)

Using the docker image from https://github.com/KyleAMathews/docker-nginx, I did the custom default file as follows:

    server {
        root /var/www;
        index index.html index.htm;

        server_name localhost MYHOST.COM;

        # Add 1 week expires header for static assets
        # (regex locations take precedence over "location /", so these
        # requests are served here and never reach the redirect below)
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires 1w;
        }

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to redirecting to index.html
            # (never reached: "return" runs in the rewrite phase, before try_files)
            try_files $uri $uri/ @root;
            return 301 https://$host$request_uri;
        }

        # If nginx can't find a file, fallback to the homepage.
        location @root {
            rewrite .* / redirect;
        }

        include /etc/nginx/basic.conf;
    }

Dockerfile

Here is my Dockerfile, considering that my static content is under html/ directory.

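    # Base image published from the repository linked above
    FROM kyma/docker-nginx
    COPY conf/default.conf /etc/nginx/sites-enabled/default
    # The certificate and private key are copied into the image layers
    ADD certs/myhost.com.crt /etc/nginx/ssl/server.crt
    ADD certs/myhost.com.key /etc/nginx/ssl/server.key
    # Enable the SSL site that ships with the base image
    RUN ln -s /etc/nginx/sites-available/default-ssl /etc/nginx/sites-enabled/default-ssl
    COPY html/ /var/www
    CMD 'nginx'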

Testing

For a local test, change the file /etc/hosts by adding myhost.com to 127.0.0.1 and run the following command:

    curl -I http://www.myhost.com/

Result

    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Sun, 04 Mar 2018 04:32:04 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: https://www.myhost.com/
    X-UA-Compatible: IE=Edge
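
A stricter form of the curl test above, as an added example that is not part of the original answer: the shell function reads raw response headers (as printed by curl -sI) and checks that the redirect is permanent, points to https, stays on the same host, and keeps the path and query string. The names check_redirect and sample and the sample responses are constructed for illustration; accepting 308 as well as 301 goes beyond what the page shows.

```shell
#!/bin/sh
# Added example: validate an HTTP->HTTPS redirect from raw response headers.
# Usage: curl -sI http://host/path | check_redirect http://host/path
check_redirect() {
    url=$1
    rest=${url#http://}
    [ "$rest" != "$url" ] || { echo "FAIL: request URL is not http://"; return 1; }
    host=${rest%%/*}
    case $rest in */*) path=/${rest#*/} ;; *) path=/ ;; esac

    headers=$(tr -d '\r')    # header lines end in CRLF; strip the CR
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')

    case $status in
        301|308) ;;
        *) echo "FAIL: status '$status' is not a permanent redirect"; return 1 ;;
    esac
    case $location in
        https://*) ;;
        *) echo "FAIL: Location '$location' is not https"; return 1 ;;
    esac
    lrest=${location#https://}
    lhost=${lrest%%/*}
    case $lrest in */*) lpath=/${lrest#*/} ;; *) lpath=/ ;; esac
    [ "$lhost" = "$host" ] || { echo "FAIL: host changed to '$lhost'"; return 1; }
    [ "$lpath" = "$path" ] || { echo "FAIL: path '$path' became '$lpath'"; return 1; }
    echo "OK: $location"
}

# Constructed sample responses (not captured from a real server).
sample() {   # sample STATUS-LINE LOCATION
    printf 'HTTP/1.1 %s\r\nServer: nginx\r\nLocation: %s\r\n\r\n' "$1" "$2"
}

# Redirect that keeps the requested path and query string
sample '301 Moved Permanently' 'https://www.myhost.com/docs/a?x=1' |
    check_redirect 'http://www.myhost.com/docs/a?x=1'
# Redirect that sends every request to the site root
sample '301 Moved Permanently' 'https://www.myhost.com/' |
    check_redirect 'http://www.myhost.com/docs/a?x=1' || true
# Temporary redirect that stays on http
sample '302 Found' 'http://www.myhost.com/docs/a?x=1' |
    check_redirect 'http://www.myhost.com/docs/a?x=1' || true
```

The function compares hosts literally, so a Location that adds an explicit port (for example :443) is reported as a host change.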